
1 Attacking Web Services
Jason Alexander, Jason.alexander@owasp.org
17.03.2010
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org

2 What are Web Services?
- No single definition
- SOA, SOAP, REST, XML, WSDL, UDDI
- "A web service is a software component developed to support interoperability over a network using an interface described in WSDL. Other systems communicate with the web service using SOAP messages that are typically transported using the HTTP protocol with XML messaging."

3 What are Web Services? (cont.)
- For our purposes, web services are communication protocols that:
  - Use XML as the base meta-language
  - Provide computer-to-computer communication
  - Use standard protocols, often in line with W3C, OASIS and WS-I
  - Are designed to be platform and transport independent

4 What are Web Services? (cont.)
- Why are they popular? Quote: "let's expose our mainframe APIs through SOAP and use plentiful Java developers on Win/Lin instead of rare CICS developers on expensive mainframes to extend system functionality"
- With an argument like that, what PHB could say no?

5 What are Web Services? (cont.)
- Usually deployed over port 80/443
- Web Services: we poke holes in your firewall so you don't have to. Or FBP: Firewall Bypass Protocol

6 Threats
- All the "usual suspects":
  - Injection attacks
  - Scripting attacks
  - Broken authentication
  - Security misconfiguration
- OWASP Top 10, anyone? And more...

7 Attacking Web Services
- Follows the basic concept of web application attacks:
  - Discovery
  - Enumeration and information gathering
  - Identifying attack vectors
  - Exploitation
  - Whitebox assessment: code analysis

8 Discovery
- Find web service entry points: these are in the WSDL
- How to find the WSDL?
  - UDDI: Universal Description, Discovery and Integration
  - UBR: Universal Business Registry
  - Google is your friend! inurl:wsdl site:example.com

9 Discovery (cont.) [image-only slide]

10 Discovery (cont.) [image-only slide]

11 Discovery (cont.)
- Google sample: inurl:wsdl site:nhs.uk
  - www.show.scot.nhs.uk/FindNearest/findnearest.asmx?WSDL
  - www.nhshighland.scot.nhs.uk/Search/_vti.../search.asmx?WSDL
  - www.uhsm.nhs.uk/_vti_bin/sites.asmx?wsdl
- Crawling technique:
  - wget -l 50 -r http://192.168.1.10
  - find . -name '*wsdl*'

12 Enumeration and Information Gathering
- Standard web application enumeration:
  - telnet 192.168.1.10 80
  - HEAD / HTTP/1.0
  - HTTP/1.1 200 OK
  - Server: Microsoft-IIS/5.0
  - X-Powered-By: ASP.NET

13 Enumeration and Information Gathering (cont.)
- WSDL: all an attacker needs to know to interface with the service
  - Auto-generated by the WS framework
  - Generally not created or consumed by humans
  - Generally no access controls enforced on WSDLs
- Do you really need to provide a WSDL?

14 Enumeration and Information Gathering (cont.)
- WSDL example: eBay price watching (fragment)
  <definitions name="eBayWatcherService"
      targetNamespace="http://www.xmethods.net/sd/eBayWatcherService.wsdl"
      xmlns:tns="http://www.xmethods.net/sd/eBayWatcherService.wsdl"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
      xmlns="http://schemas.xmlsoap.org/wsdl/">
  <input message="tns:getCurrentPriceRequest" name="getCurrentPrice"/>
  <output message="tns:getCurrentPriceResponse" name="getCurrentPriceResponse"/>
  <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
  <soap:body use="encoded" namespace="urn:xmethods-EbayWatcher" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
  <soap:body use="encoded" namespace="urn:xmethods-EbayWatcher" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
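As an added example (not part of the presentation), the following Python walks a WSDL the way the profiling tools on the next slide do and lists what the document discloses per operation: endpoint, SOAPAction and the input parts a caller must supply. The WSDL is a constructed completion of the slide-14 fragment (the message parts, soapAction and example.invalid endpoint are assumptions); running it over your own WSDL is a quick way to see exactly what publishing it hands out.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed WSDL: the slide-14 fragment completed with assumed messages,
# a soapAction and an endpoint so that it parses stand-alone.
SAMPLE_WSDL = """<definitions name="eBayWatcherService"
 targetNamespace="http://www.xmethods.net/sd/eBayWatcherService.wsdl"
 xmlns:tns="http://www.xmethods.net/sd/eBayWatcherService.wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns="http://schemas.xmlsoap.org/wsdl/">
 <message name="getCurrentPriceRequest"><part name="auction_id" type="xsd:string"/></message>
 <message name="getCurrentPriceResponse"><part name="return" type="xsd:float"/></message>
 <portType name="eBayWatcherPortType"><operation name="getCurrentPrice">
  <input message="tns:getCurrentPriceRequest" name="getCurrentPrice"/>
  <output message="tns:getCurrentPriceResponse" name="getCurrentPriceResponse"/>
 </operation></portType>
 <binding name="eBayWatcherBinding" type="tns:eBayWatcherPortType">
  <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
  <operation name="getCurrentPrice">
   <soap:operation soapAction="urn:xmethods-EbayWatcher#getCurrentPrice"/>
   <input><soap:body use="encoded" namespace="urn:xmethods-EbayWatcher"/></input>
   <output><soap:body use="encoded" namespace="urn:xmethods-EbayWatcher"/></output>
  </operation>
 </binding>
 <service name="eBayWatcherService"><port name="eBayWatcherPort" binding="tns:eBayWatcherBinding">
  <soap:address location="http://services.example.invalid/ebaywatcher"/>
 </port></service>
</definitions>"""

def wsdl_inventory(wsdl_text: str) -> dict:
    """Map each published operation to its endpoint, SOAPAction and input parts."""
    root = ET.fromstring(wsdl_text)
    w, s = "{%s}" % WSDL_NS, "{%s}" % SOAP_NS
    # message name -> [(part name, declared type)]: the parameters a caller must send
    parts = {m.get("name"): [(p.get("name"), p.get("type")) for p in m.findall(w + "part")]
             for m in root.findall(w + "message")}
    address = root.find(".//" + s + "address")
    endpoint = address.get("location") if address is not None else None
    actions = {op.get("name"): op.find(s + "operation").get("soapAction")
               for op in root.findall(".//%sbinding/%soperation" % (w, w))
               if op.find(s + "operation") is not None}
    inventory = {}
    for op in root.findall(".//%sportType/%soperation" % (w, w)):
        name = op.get("name")
        request = op.find(w + "input").get("message").split(":")[-1]  # drop tns: prefix
        inventory[name] = {"endpoint": endpoint, "soapAction": actions.get(name),
                           "inputs": parts.get(request, [])}
    return inventory
```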

15 Enumeration and Information Gathering (cont.)
- Using tools to profile web services: wsKnight, WSDigger, SoapUI, etc.
- DEMO

16 Attack Vectors
- Most of the web application attack vectors can be applied to web services
  - Injection and scripting attacks apply
- Specific SOAP-oriented attacks:
  - XML poisoning
  - SOAP message brute forcing
  - SOAP parameter manipulation
  - XML parser attacks
- Could take a whole lot of time to discuss all attacks!

17 Attack Vectors (cont.)
- Spot the attack!
  <SOAP-ENV:Envelope
      SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
      xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsd="http://www.w3.org/1999/XMLSchema">
  ' default

18 Attack Vectors (cont.)
- DEMO

19 Counter Measures
- Do you need a WSDL? Has it been sanitised?
- Secure coding: utilise OWASP resources
  - OWASP Coding Guide: input validation
  - OWASP Top 10
  - OWASP Testing Guide
  - OWASP WS project (needs volunteers): http://www.owasp.org/index.php/Category:OWASP_Web_Services_Security_Project

20 Counter Measures (cont.)
- Protect messages in transit
  - TLS is the BEST option and fits most models
  - XML signing and encryption have their uses but are difficult to implement
  - WS-Security
- Web Application Firewalls (WAF): do they work in a SOAP/XML environment?
  - New breed of technology: XML gateways!
  - Regular firewalls do not work!
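As an added example (not from the slides), this Python ties the "spot the attack" envelope of slide 17 to the input-validation countermeasure above: a handler for the getCurrentPrice operation named in the slide-14 WSDL, first with the parameter concatenated into SQL, then hardened with message-level checks (a size limit and rejection of any DTD, which SOAP 1.1 forbids in a message anyway) plus a whitelist and a bound parameter. The envelope, the in-memory table and the parameter name auction_id are constructed for the example.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_MESSAGE_BYTES = 64 * 1024  # assumed size limit for this service

def envelope(auction_id: str) -> bytes:
    """Constructed getCurrentPrice request (operation name from the slide-14 WSDL)."""
    return (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s"><SOAP-ENV:Body>'
        '<ns:getCurrentPrice xmlns:ns="urn:xmethods-EbayWatcher">'
        "<auction_id>%s</auction_id></ns:getCurrentPrice>"
        "</SOAP-ENV:Body></SOAP-ENV:Envelope>" % (SOAP_ENV, auction_id)
    ).encode()

def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the price back end."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (auction_id TEXT, price REAL)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [("1001", 12.5), ("1002", 99.0), ("1003", 7.25)])
    return db

def soap_operation(message: bytes) -> ET.Element:
    """Message-level checks, then return the one element inside the Body."""
    if len(message) > MAX_MESSAGE_BYTES:
        raise ValueError("message too large")
    # SOAP 1.1 forbids a DTD in a message; refusing it here keeps entity
    # declarations (the XML-poisoning vector) away from the parser entirely.
    if b"<!DOCTYPE" in message or b"<!ENTITY" in message:
        raise ValueError("DTD not allowed in SOAP message")
    body = ET.fromstring(message).find("{%s}Body" % SOAP_ENV)
    if body is None or len(body) != 1:
        raise ValueError("expected exactly one operation in SOAP Body")
    return body[0]

def price_vulnerable(db, message: bytes) -> list:
    """'Spot the attack': the parameter is concatenated into the SQL string."""
    auction_id = soap_operation(message).findtext("auction_id", "")
    return db.execute("SELECT price FROM items WHERE auction_id = '"
                      + auction_id + "'").fetchall()

def price_hardened(db, message: bytes) -> list:
    """Whitelist the parameter to the contract the WSDL promises, then bind it."""
    auction_id = soap_operation(message).findtext("auction_id", "")
    if not re.fullmatch(r"[0-9]{1,12}", auction_id):
        raise ValueError("auction_id must be a numeric identifier")
    return db.execute("SELECT price FROM items WHERE auction_id = ?",
                      (auction_id,)).fetchall()
```

With a benign id both functions return one price; with a quote-bearing value the vulnerable query returns every row, while the hardened one rejects the message before any SQL runs.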

21 Resources
- DISCO: http://msdn.microsoft.com/en-us/magazine/cc302073.aspx
- UDDI OASIS Standard: http://www.oasis-open.org/specs/index.php#uddiv3.0.2
- Understanding UDDI: http://www-128.ibm.com/developerworks/webservices/library/ws-featuddi/index.html
- Web Services Testing: http://www.aboutsecurity.net
Tools
- Net Square wsPawn
- OWASP WebScarab: Web Services plugin
- Mac OS X SOAP Client: http://www.ditchnet.org/soapclient
- Foundstone WSDigger: http://www.foundstone.com/us/resources/proddesc/wsdigger.htm
- SoapBox: http://www.vordel.com/products/soapbox/
- SoapUI: http://www.soapui.org/
- SOAPClient4XG: http://www-128.ibm.com/developerworks/xml/library/x-soapcl/
- cURL: http://curl.haxx.se
On-line tools
- Web Services Directory: http://www.wsindex.org
- Seekda: http://seekda.com/
- UDDI Browser: http://www.soapclient.com/
- XMethods: http://www.xmethods.net
- WSIndex: http://www.wsindex.org

22 References
- www.owasp.org
- Hacking Web Services by Shreeraj Shah
- How to Break Web Software by Mike Andrews and James Whittaker
- Attacking Web Services by Alex Stamos

